Metasploit Pro v4.11

Installation and Usage Class

Michael Lai
Senior Security Sales Engineer
CISSP, CISA, MBA, MSc, BEng(hons)

©Rapid7, LLC 2015 All Material is Privileged & Confidential


Agenda
• Introduction
• Initial Setup, User & Project
• Discover Devices
• Exploit Basic
• Gaining Access
• Take Control Of Sessions
• Web Application Testing
• Reports
• Social Engineering
• Advanced Techniques

Unified Vulnerability Management
Nexpose offers an all-in-one solution for scanning your entire network
• Includes web application security, database security, network security and penetration testing capabilities
• Allows users to secure more assets with fewer resources despite the rapidly changing threat landscape

Rapid7 Nexpose, which received the highest rating of “Strong Positive” in Gartner’s MarketScope for Vulnerability Assessment 2010-2013, leverages one of the largest vulnerability databases to identify the vulnerabilities that represent the greatest threat to your organization.

Metasploit Pro
Metasploit Pro is enterprise-grade software for security professionals who specialize in
penetration testing and require an advanced solution for multi-level attacks that
enables them to get deeper into networks more efficiently.
• Emulate realistic network attacks based on the leading Metasploit Framework

• Test with the world's largest public database of quality assured exploits

• Complete penetration test assignments faster by automating repetitive tasks and leveraging
multi-level attacks

• Assess the security of Web applications, network and endpoint systems, as well as email users

• Tunnel any traffic through compromised targets to pivot deeper into the network

• Collaborate more effectively with team members in concerted network tests

• Customize the content and template of executive, audit and technical reports

Some vital vocabulary…

Vulnerability - a security hole in a piece of software, hardware or operating system that provides a potential angle to attack the system.
• A vulnerability can be as simple as a weak password or as complex as a buffer overflow or SQL injection vulnerability.

Exploit - a small and highly specialized computer program whose only reason for being is to take advantage of a specific vulnerability and provide access to a computer system.
• Exploits often deliver a payload to the target system to grant the attacker access to the system.

Payload - the piece of software that lets you control a computer system after it has been exploited.
• The payload is typically attached to and delivered by the exploit.

Vulnerability Detection & Verification
Two sides of one process: Vulnerability Management & Configuration Assessment on one side, Penetration Testing & Threat Validation on the other. They meet at three points:
• Verification and Exception: vulnerability reference, Metasploit integration, individual/site/global exception
• Risk Assessment: system and vulnerability
• Risk Validation: exception list and exploited group
Metasploit Pro Workflow

Lab Environment

Metasploit – Metasploit server
Metasploitable – Linux with vulnerabilities for attack
WinXP – Windows with vulnerabilities for attack

Initial Setup, User & Project
Students will know how to make Metasploit ready
- How to run the initial setup
- How to manage users
- How to build a project


Metasploit Pro Workflow – Launch Metasploit
0. Launch Metasploit
1. Create a Project
2. Discover Devices
   • Use the Scan option
   • Import your own scan data
   • Use the Nexpose scan
   • Use Web Scanning
3. Gain Access to Hosts
   • Run Automated Exploits
   • Run Manual Exploits
   • Bruteforce Targets
   • Use Web Auditing
   • Use Web Exploiting
   • Social Engineering
4. Take Control of Sessions
   • Use Command Shell
   • Use the Virtual Desktop
   • Access/Search Filesystem
   • Create Proxy or VPN Pivots
   • Post-Exploitation Modules
5. Gather Evidence
   • Collect system evidence from sessions
   • Generate Live Reports
Initial Setup
Go to “Administration > Software Updates”
Ensure all information is correct
• Product Key
• Product Edition
• Registered To
• License Expiration Date

Run “Check for Updates”
Ensure that the host can access updates.metasploit.com (it may be blocked by URL filtering under a “hacking” category)
User Manager
Go to “Administration > User Administration”
Manage users (e.g. add/delete); each additional user needs an extra user license
The “Administrator” role can access all projects, manage users, and apply software updates

Metasploit Pro Workflow – Create a Project
Working with Projects in Metasploit Pro
Projects provide a way to organize your penetration test
• A project consists of a name, network boundaries, and the users authorized to work on it
• Network boundaries help you set and maintain scope
• Individuals can be added to or removed from projects
• Anyone granted access to a project has full privileges on that project

Create A Project
On the home page, click “New Project”
Input a name and IP range
“Restrict to network range” limits exploitation to the input IP range only (e.g. you cannot go further via VPN Pivoting)

Project Management
Clicking “Home” shows all available projects
An individual project can be selected under “Project”
Select a project to go to it, delete it or edit it

Metasploit Pro Look & Feel
The GUI is designed according to the penetration test workflow.

LAB - Project

Each student creates a project covering the targeted IPs (Metasploitable2 and Windows XP)
Then access the project dashboard

Questions

Which IP(s) or IP range(s) are included in the project?
What can you see on the Dashboard?

Discover Devices
Students will know how to run a scan that fits their needs (environment limitations) and collect information for further exploitation.
- How to run a scan
- How to import scan results
- How to integrate with Nexpose
- How to find vulnerabilities


Host Discovery

Three ways to perform host discovery
• Scan using the built-in tools and modules
• Import results from other tools
• Scan the target network with Nexpose

Choosing the right approach
• The built-in Scan is comprehensive and configurable
• Import works when you already have scan data
• Nexpose is great when you want a full assessment

Metasploit Pro Workflow – Use the Scan option
Discover Devices: Scan

Go to the project and click the Scan button
Input the address (range) and press the launch button at the bottom right

Advanced Target Settings
Go to the scan page again and click the advanced settings
Nmap parameters and the port settings can be customized
Click the “?” for more information about each field

Scan
Scan is optimized for fast and accurate discovery
• SYN probes are sent to all TCP ports, together with ICMP (3 types), UDP, and ACK probes
• Great at detecting firewalled systems

Make sure all common ports are used
• Identify a few systems by hand and scan all 65535 ports
• Add any extra open/allowed ports to the list

Useful options for additional discovery
• Specify the TCP source port of the probes
• Custom Nmap command line arguments

Discovery Settings
Portscan speed and timeout affect network utilization
Extend the host timeout for a large or slow network
• Nmap throws away partial results on timeout, so set a longer timeout

Stealth: is it necessary?
• Consider any firewall, IPS or flow control in the path

“Dry run” simulates the scan and shows the task log
The more options selected, the more operations are run, hence the slower the scan

Discovery Credentials and Automatic Tagging
SMB credentials are used for share and username discovery on a Windows network, or on hosts running Samba.
An OS tag (e.g. os_windows) can be added automatically.
Web scans will be covered later.

Task
The Tasks page is a real-time log of user-initiated activities (e.g. discovery, bruteforce, exploit, and cleanup), their completion status, and the duration of completed tasks.
Tasks can be stopped or replayed, but they cannot be paused and resumed.

Discover Devices: Scan Task
• Once a scan starts, the Discovering task is shown
Green messages – good status indicator: the designed step can be run
Red messages – bad status indicator: the designed step cannot go further
Yellow messages – a successful operation that lets you go further, such as a service scanned, an exploit indicator, a credential found or a session built

Passive Discovery
Metasploit discovers hosts by monitoring network traffic. No network connection is made during the scan, to avoid detection.
By default, broadcast traffic is monitored. Specific traffic (e.g. HTTP) can be monitored too, but you need to ensure that Metasploit can see it (e.g. via a mirror port).

LAB – Discover Devices

Scan the two IPs in the lab
Disable all the options in Discovery Settings
Enable “Automatically tag by OS”
Check the result under “Analysis > Hosts”

Questions

Where is the time taken by the scan shown?
Where are newly found hosts shown?
Can you see the OS tags? What are they?
Can a Metasploit scan find any vulnerabilities?

Metasploit Pro Workflow – Import your own scan data
Import

Click Import on the menu bar, then select the file, site, etc.
Click the question mark to see the supported file types
Not all data formats are created equal
• If the import contains hostnames, ensure that they can be resolved by Metasploit
• OS information is often wrong due to bad signatures, and service information is not as deep as Scan

Metasploit Pro Workflow – Use the Nexpose scan
Nexpose
Launch Nexpose scans directly from Metasploit Pro
• Works with Nexpose to find not only host information but also vulnerabilities
• Configure the scan targets, template, and credentials
• Benefit: offload the scanning job to Nexpose (imagine you have deployed 100+ Nexpose scan engines for 20K+ IPs in 100+ network segments)

Useful for quick vulnerability assessments
• Large scans are better done through Import to avoid timeout issues
• Two supported import formats: XML (Export) – Enterprise Edition only; XML (Simple) – supported by Community
• Protip: choose Export over Simple

Add Nexpose Console
Add the Nexpose Console connection under “Administration > Global Settings”
Click “Configure a Nexpose Console” to add or edit
The logic is that Metasploit controls Nexpose

Nexpose Launcher
Click “Nexpose” on the menu bar to launch
A Nexpose scan template can be selected

Nexpose Scan Task
A scan task shows the findings in real time
Unlike a Metasploit scan, a Nexpose scan finds the vulnerabilities

Active Recon: Viewing Vulnerabilities
Go to “Analysis > Vulnerabilities”
The vulnerabilities found for all hosts are shown
Click the reference icon to check the vulnerability information on the web

LAB - Nexpose

Add a Nexpose Console
Launch a Nexpose scan with the “Penetration Test Audit” template

Questions

What is the main difference between a Nexpose scan and a Metasploit scan in the discovery phase?
How can you check the vulnerability information?
If you need to share the Metasploit scan with your colleague and each of you has an independent Metasploit installation, what can you do?

Metasploit Pro Workflow – Import your own scan data
Scan Results
The Hosts tab (Analysis > Hosts) displays the detected nodes.
OS tags are shown if “Automatically tag by OS” is enabled
Vulnerabilities are shown if the host was scanned by Nexpose or has been exploited

Hosts Status

A host's status is shown in the rightmost column
The statuses are:
1. Scanned – A device has been discovered.
2. Cracked – Credentials were bruteforced but no session was obtained.
3. Shelled – An open session was obtained on the device.
4. Looted – Evidence has been collected from the device.

Network Topology

The Network Topology tab shows how you reach the devices, e.g. directly, or through a router or firewall

Host Tagging
A host tag is an identifier with a description assigned to one or more hosts.
Tags can be used to organize assets, create work queues, and track findings for automatic inclusion in the generated reports.
Select the hosts and click “Tag” on the menu bar to add one.
Host Information
Click an address to see the host details
Tags can be added and the host information can be edited.

Host Sessions
The Sessions tab shows the active/completed sessions and the modules applied
This is the proof of gaining access to a host (more in the next section, “Gaining Access”)
Click an active session to run a payload action (e.g. collect evidence)

Host Vulnerabilities
The scanned vulnerabilities and the modules that successfully exploited them are shown
Click the reference icons to access more information on the web

Modules
The modules associated with the scanned vulnerabilities are shown
They can be launched to validate the vulnerability

LAB - Hosts

Add a tag to group two hosts
Add a comment to a host
Locate a vulnerability and check its information on the web.

Questions

Why does a host have the “Looted” status?
If you want to group some hosts, what should you do?

Exploit Basic
After this section, students will know the basic components used to manage exploits and bruteforce
- What is a payload
- What is a module
- What are client-side and server-side attacks


Understand Payload
A payload is the code run on the exploited host to deliver a shell to you
Two payload options for exploit and bruteforce
• Meterpreter enables users to control the screen of a device using VNC and to browse, upload and download files.
• Command Shell enables users to run collection scripts or run arbitrary commands against the host.

If Meterpreter is selected and it fails, then Command Shell will be used
More discussion in “Take Control of Sessions”

Meterpreter: What Is It?

Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers (Windows only).

Stealthy:
• only in memory, nothing written to disk
• no new process is created
• encrypted communication

Powerful:
• channelized communication system
• extensions are loaded over TLV (TLS/1.0)

Extensible:
• features can be loaded over the network to the target
• new features can be added to Meterpreter without rebuilding it

Modules
Anyone can develop a module and contribute it to the community
Leverage all Metasploit modules from one place
• Simple-to-use search interface with keywords
• All standard exploits extended to target a range
• Use any modules you already know and love

Granular control of module options
• Specify and override any standard options
• Exposes the Advanced and Evasion options

Payload selection is nearly automatic
• Choose Meterpreter vs Shell, choose Reverse vs Bind, select the port range

Modules
Click “Modules” on the top menu bar
Module statistics and the search keyword formats are shown, e.g. CVE, EDB
Modules rated 4+ stars are reliable enough for use in production (6 levels: 5 - Excellent, 4 - Great, 3 - Good, 2 - Normal, 1 - Average, 0 - Low)

Server Side Attack
Metasploit acts as a client to exploit a server
E.g. a Win XP host is exploited via MS10_061, a vulnerability reachable on SMB port 445.

Client Side Attack
Metasploit acts as a (web) server to exploit the client connecting to it.
For example, a Win7 host is exploited via a vulnerability in IE

LAB – Module and Exploit

Search “app:server” for Server-Side Attack modules
Search for the module about “Aurora”
Check the details of Aurora

Questions

For a Server-Side Attack, do you need to set up a listening IP and port?
What is the CVE code of Aurora?
Is Aurora a “Client-Side Attack” or a “Server-Side Attack”?
Is there a listening port for Aurora?

Gaining Access
After this section, students will know the two methods (Bruteforce and Exploit) used by Metasploit to gain access (build a session)
- How to exploit
- How to run Bruteforce


Metasploit Pro Workflow – Run Automated Exploits
Automated Exploit of a Host for a Server-Side Vulnerability
Select a host, then click “Exploit”
Select the “Minimum Reliability”
• Low – all matched modules
• Excellent – only matched modules that never crash
• Other – between Low and Excellent

Click “Show Advanced Options”

Exploit: Targeting, Payload
Ignore known-fragile devices: weak devices are selected by the device fingerprint
Payload controls
• If Meterpreter fails, Command Shell will be tried
• Select Auto, Bind or Reverse
• Listener Ports and Host are for reverse connections
• A Macro is a set of operations to be run

Dynamic Stagers generate different payloads to avoid AV detection
Stage Encoding encodes the payload in transmission
Smart Exploit – Match & Apply
Matching
• OS
• open port (service)
• vulnerability reference (from Nexpose)

Priority
1. Vulnerability reference
2. Reliability
3. Oldest

Apply – avoid concurrent exploits of the same host and port
Sessions appear as the exploits succeed
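The match-and-apply rules above worked through in code, as an added example that is not Metasploit Pro's own code: it models the matching, the priority order, the Minimum Reliability floor and the same-host-and-port rule, using the two lab targets as constructed hosts and made-up module names, dates and reference ids (only MS10-061 comes from the deck).

```python
"""Model of the Smart Exploit match-and-apply rules from the slide above:
match modules to hosts by OS, open port (service) and vulnerability reference,
order candidates by vulnerability reference > reliability > oldest, apply the
"Minimum Reliability" floor, and never run two exploits against the same
host and port at the same time.

Added illustration written for this page; it is not Metasploit Pro's own
code. Hosts, module names, dates and reference ids are constructed."""

from dataclasses import dataclass
from datetime import date

# Reliability levels as listed on the Modules slide (5 = Excellent ... 0 = Low).
RANK = {"excellent": 5, "great": 4, "good": 3, "normal": 2, "average": 1, "low": 0}


@dataclass(frozen=True)
class Module:
    name: str
    os: str                          # OS family the module targets
    port: int                        # service port the module talks to
    rank: str                        # key of RANK
    added: date                      # when the module was added; older wins ties
    refs: frozenset = frozenset()    # vulnerability references it covers


@dataclass(frozen=True)
class Host:
    address: str
    os: str
    open_ports: frozenset
    vuln_refs: frozenset = frozenset()   # references imported from a Nexpose scan


def matches(m, h):
    """OS and open port must match; a Nexpose reference only raises priority."""
    return m.os == h.os and m.port in h.open_ports


def candidates(host, modules, minimum_reliability):
    """Matched modules at or above the reliability floor, in slide priority
    order: reference match first, then higher rank, then oldest."""
    floor = RANK[minimum_reliability]
    matched = [m for m in modules if matches(m, host) and RANK[m.rank] >= floor]
    return sorted(matched, key=lambda m: (not (m.refs & host.vuln_refs), -RANK[m.rank], m.added))


def schedule(hosts, modules, minimum_reliability="great", concurrency=2):
    """Group (address, module name) pairs into rounds that may run concurrently.
    Within a round no host:port pair is used twice, so a second module for the
    same service waits for a later round."""
    queues = {h.address: candidates(h, modules, minimum_reliability) for h in hosts}
    rounds = []
    while any(queues.values()):
        busy, this_round, progress = set(), [], True
        while progress and len(this_round) < concurrency:
            progress = False
            for addr, queue in queues.items():      # round-robin over hosts
                if len(this_round) >= concurrency:
                    break
                pick = next((m for m in queue if (addr, m.port) not in busy), None)
                if pick is None:
                    continue
                queue.remove(pick)
                busy.add((addr, pick.port))
                this_round.append((addr, pick.name))
                progress = True
        rounds.append(this_round)
    return rounds


# Constructed lab data: the two targets from the slides and some made-up modules.
WINXP = Host("192.168.152.133", "windows", frozenset({139, 445, 3389}), frozenset({"MS10-061"}))
METASPLOITABLE = Host("192.168.152.129", "linux", frozenset({21, 22, 80, 445}))
HOSTS = [WINXP, METASPLOITABLE]
MODULES = [
    Module("smb_print_spooler_example", "windows", 445, "excellent", date(2010, 9, 1), frozenset({"MS10-061"})),
    Module("smb_second_example", "windows", 445, "great", date(2011, 1, 1)),
    Module("smb_older_example", "windows", 445, "good", date(2008, 1, 1)),
    Module("rdp_example", "windows", 3389, "great", date(2012, 1, 1)),
    Module("ftp_example", "linux", 21, "excellent", date(2011, 7, 1)),
    Module("http_example", "linux", 80, "normal", date(2009, 1, 1)),
    Module("ssh_example", "linux", 22, "average", date(2007, 1, 1)),
]


def names(mods):
    return [m.name for m in mods]


if __name__ == "__main__":
    for h in HOSTS:
        print(h.address, "great:", names(candidates(h, MODULES, "great")))
    for i, r in enumerate(schedule(HOSTS, MODULES, "low", concurrency=4), 1):
        print("round", i, r)
```

With "low" and four concurrent slots, the two 445 modules on WinXP still land in different rounds, which is the same-host-and-port rule at work.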
Exploit Advanced Settings
Set the number of concurrent exploits, the timeout, and whether to limit to one session only
Transport Evasion (TCP, UDP, SMB, DCERPC): "Low" inserts delays between TCP packets, "Medium" sends small TCP packets, "High" applies both.
Application Evasion (Fragments): for DCERPC, SMB, and HTTP-based exploits. Higher levels of evasion indicate more aggressive evasion options.
“Dry run”: run an exploit correlation, print a transcript of the selected exploits, and immediately quit.

LAB - Exploit

Select the hosts WinXP and Metasploitable and exploit them with “Great” reliability
Check the sessions on these two hosts

Questions

What is the proof of a successful exploit?
If you want to exploit a fragile host, what configuration do you need to set?

Metasploit Pro Workflow – Run Manual Exploits
Module Search Example
Search for a module
• “name: vulnerability_keyword”
• “cve-xxxx-xxxx”

Click the module link to use the module
Input the necessary settings, such as the Target IP
Click Advanced and Evasion to fine-tune the module
Click Run Module to start
Re-open Session Via Module
Go to the “Sessions” page
Click an “Attack Module” for Metasploitable2 under “Closed Sessions”
You can re-run a successful module to validate whether the vulnerability has been fixed.

Metasploit Pro Workflow – Bruteforce Targets
Why Bruteforce

Most incidents are due to an account being broken into
To test for weak passwords
To test a downloaded dictionary
To validate that an old password has been changed on all devices
To test the impact if a credential is disclosed

Credential Management – Manual Input

To add your own credentials to test:
Click “Credentials > Manage” and then “+Add”
For “Manual” input, you need to select the “Realm Type”. If the credential is plain text only, set “Realm Type” to “None”.
“Public” is the login ID and “Private” is the secret, such as a password, SSH key or hash.

Credential Management – Export
Select the credentials to be exported, or just click “Export” to export all
Choose the format and export all rows or only the selected rows
Save and open the export file: it shows the CSV format to use when uploading your own credentials

Credential Management - Import
Add your credentials to the CSV file; the uploaded CSV file must be zipped
A message of successful import and the new credentials will be shown

Credential Reuse – TARGETS
To use the credentials collected from an exploited host and those added/imported
A table of scanned services is listed; a filter can be applied
Select the target(s) and add them to the list

Credential Reuse – CREDENTIALS
The credentials added/imported manually and collected from exploited hosts are listed. A filter can be applied.
Tip: clicking the filter shows the advanced filter (also for TARGETS)
Select the credentials and add them to the credential list

Credential Reuse – REVIEW
Review the targets and the credentials; delete items if needed
“Validate only one credential per service”: once a credential has been validated for a service, Credential Reuse will stop testing other credentials against it.
Be careful: some accounts will be locked after a few login failures
A timeout can be set
Click LAUNCH to start

Credential Reuse – LAUNCH
Statistics include the number of attempts, validated credentials, validated targets and the number of successful logins.
All tested credentials and their results are shown in a table, which can be exported.

Bruteforce - TARGETS

Click “Credentials > Manage”
“All hosts” sets all the discovered hosts as targets
The target host and service must already have been discovered. If you input a host that is not on the project host list, the bruteforce cannot start.
The more services selected, the longer it takes.
Beware that some services (e.g. SSH, Telnet) take a long time to test.

Bruteforce - CREDENTIALS

“All credentials in this project” applies all input and collected credentials in this project
“Attempt factory defaults” uses the built-in dictionary, including factory defaults, e.g. Cisco
You can input up to 100 lines of extra credentials
You can upload your own dictionary in the format shown in the “Credentials” text box.
Select “Use <BLANK> as password” and “Use username as password” to fit the uploaded file.

Bruteforce - OPTIONS
Set the timeout and “Time Between Attempts” to avoid accounts being locked
Mutation amends an existing password to create new ones, e.g. based on “password” it creates “password1”
You can stop the bruteforce once a login is successful
Unlike REUSE, a session can be built by Bruteforce, hence a payload can be set
Bruteforce - Task
The “SUCCESSFUL LOGINS” tab shows the successful login information
If a session can be built, the “Attack Module” will be something like LOGIN_CREDENTIAL
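A defender's view of the bruteforce behaviour described on the OPTIONS and Task slides, as an added example that is not Rapid7's code: it parses constructed OpenSSH auth log lines from the Metasploitable target and flags a burst of failures from one source, and a success that follows failures from the same source (a validated credential as the server sees it); the thresholds and the account name are assumptions.

```python
"""Server-side view of the bruteforce behaviour described on the Bruteforce
OPTIONS and Task slides: a stream of login attempts from one source, spaced
by "Time Between Attempts", that stops once a login succeeds. Given OpenSSH
auth log lines, this flags (a) a burst of failures from one source inside a
time window and (b) a success that follows failures from the same source.

Added example written for this page, not Rapid7's code. The log lines are
constructed; thresholds are assumptions to tune to your own lockout policy."""

import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH "Failed password"/"Accepted password" messages behind a syslog prefix.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: Metasploit Pro (192.168.152.10 on the slides) trying SSH
# logins on Metasploitable five seconds apart, then a user from another address
# who mistypes once. "labuser" is a made-up account name.
SAMPLE_LOG = """\
Jan 12 10:00:00 metasploitable sshd[4410]: Failed password for root from 192.168.152.10 port 51001 ssh2
Jan 12 10:00:05 metasploitable sshd[4412]: Failed password for invalid user admin from 192.168.152.10 port 51002 ssh2
Jan 12 10:00:10 metasploitable sshd[4414]: Failed password for invalid user cisco from 192.168.152.10 port 51003 ssh2
Jan 12 10:00:15 metasploitable sshd[4416]: Failed password for labuser from 192.168.152.10 port 51004 ssh2
Jan 12 10:00:20 metasploitable sshd[4418]: Failed password for invalid user user from 192.168.152.10 port 51005 ssh2
Jan 12 10:00:25 metasploitable sshd[4420]: Accepted password for labuser from 192.168.152.10 port 51006 ssh2
Jan 12 10:01:30 metasploitable sshd[4450]: Failed password for labuser from 192.168.152.50 port 40001 ssh2
Jan 12 10:01:34 metasploitable sshd[4452]: Accepted password for labuser from 192.168.152.50 port 40002 ssh2
"""


def parse(lines, year=2015):
    """Return (timestamp, result, user, src) tuples for the lines that match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events


def find_bursts(events, threshold=5, window_s=60):
    """Sources with at least `threshold` failures inside any `window_s` span.
    Returns (src, time of the crossing attempt), once per crossing."""
    recent = defaultdict(deque)
    alerts = []
    for ts, result, _user, src in events:
        if result != "Failed":
            continue
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop attempts outside the window
            q.popleft()
        if len(q) == threshold:
            alerts.append((src, ts.isoformat(sep=" ")))
    return alerts


def success_after_failures(events, min_failures=3):
    """Accepted logins preceded by at least `min_failures` failures from the
    same source: the server-side trace of a credential being validated."""
    failures = defaultdict(int)
    hits = []
    for ts, result, user, src in events:
        if result == "Failed":
            failures[src] += 1
        elif failures[src] >= min_failures:
            hits.append((src, user, ts.isoformat(sep=" "), failures[src]))
    return hits


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG.splitlines())
    print("bursts (60 s window):", find_bursts(ev))
    print("bursts (10 s window):", find_bursts(ev, window_s=10))
    print("validated after failures:", success_after_failures(ev))
```

Shrinking the window to 10 seconds lets the 5-second spacing slip through, which is why a detection window must be set against the attacker's "Time Between Attempts", not just the lockout policy's counter.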

LAB - Bruteforce

Run a Bruteforce task
• On the targets WinXP and Metasploitable
• Only select the services “SMB” and “SSH”
• Select “All credentials in this project” and “Attempt factory defaults”
• Select “Get session if possible” and “Obtain only one session per host”

Check the host “Status”, the host “Credentials” tab and the active sessions on the two targets

Questions

If you want to test whether any Windows Domain user is using a blank password, what should you do?
If you want to test whether any device or application is using a factory-set password, what should you do?
If your company has some common passwords used in the lab, how can you check for them in the production environment?
Can you log in to Metasploitable now? If yes, what are the login ID and password?

Take Control of Sessions
Students will know what can be done on the target
- More about payloads (Meterpreter, Command Shell)
- How to build a session from a module
- What can be done in a session


Metasploit Pro Workflow – Take Control of Sessions
Meterpreter Session Example
Under “Sessions”, click an active session
The session type (e.g. Meterpreter), the privilege acquired and the module used are shown
A list of available actions is shown (discussed below)

Session History
The “Session History” tab shows which commands (e.g. VNC) and scripts (e.g. VPN.rb) have been run, and also their output (e.g. browsing the file system)
Useful for auditing what has been done.

Metasploit Pro Workflow – Collect evidence
Collecting Evidence
Metasploit can collect system data as evidence
It automatically collects system data from exploited target systems after gaining access
Evidence can be used for further analysis and penetration
The evidence typically includes:
• System information

• Screenshots

• Password hashes

• SSH keys

• Some files and data

Collect System Data
Collect System Data:
• System Information (OS information), Passwords, Screenshots, SSH Keys, etc.
• Download files matching a pattern

Password and SSH Key collection
• Automatically escalates to SYSTEM
• Registry-based hashdump collection
• Grabs passwd/shadow files on Unix
• Hashes/Keys can be replayed
• Everything is stored as evidence
• Can be used in bruteforcing


Metasploit Pro Workflow – Meterpreter
VNC Session

Meterpreter sessions allow you to obtain a VNC session
You are provided with two methods of connecting to the remote desktop:
• connect to the desktop using the provided address configuration
• connect using a Java applet

Metasploit Pro has a VNC client in the form of a Java applet. Please install the latest Java for your platform
An external client (VNC Viewer) can also be used

Access Filesystem

Shows all drives mapped to your current user session*
Browse directories, download, upload, and delete
All uploads/downloads are logged as evidence

Search Filesystem

Quickly find sensitive documents
Click a file to download it

Command Shell

Use “help” to show the available commands. The Meterpreter payload has its own command set; the Command Shell payload uses the OS shell commands.
(Screenshots: Meterpreter; Command Shell)

Metasploit Pro Workflow – Create Proxy or VPN Pivots
Pivoting through Sessions
Proxy Pivoting
• No encryption
• TCP/UDP only; a scan cannot use SYN/ICMP scanning through it
• Reverse connections are not automatically pivoted
• Objective is hiding Metasploit

VPN Pivoting
• Encrypted communication
• Creates a fully-functional interface on the Pro system
• Treat it like any other network interface; transparent, works by relaying Ethernet frames
• Objective is accessing a network that Metasploit cannot connect to directly


107
Proxy Pivot
Using Proxy Pivoting
• Choose the session you wish to pivot through
• Click the Proxy Pivot action button
• All tasks will route through the pivot
• The active pivot is indicated in the top-left
• Disable pivoting with the action button
• Terminating the session stops the pivot
Proxy Pivoting Tips
• Switch all exploits to use the Bind connection type: reverse connections are not pivoted automatically, so a reverse payload would try to connect back to the Pro host, which the target may not be able to reach, whereas a bind payload listens on the target and Pro connects to it through the pivot
• Reduce the number of concurrent scans/exploits

Proxy Pivot Example
Without a proxy pivot, when exploiting the Metasploitable host the packets flow directly between
192.168.152.10 (Metasploit Pro) and the target 192.168.152.129 (Metasploitable).
With a proxy pivot enabled on 192.168.152.133 (WinXP), Metasploit Pro (192.168.152.10) runs the
exploit against Metasploitable (192.168.152.129) via the proxy pivot at WinXP (192.168.152.133).
• According to the packet capture taken on Metasploitable, packets are only exchanged with
WinXP, never with Metasploit Pro.

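The capture check on this slide, written out as an added example that is not part of the deck: a Python script that reads tcpdump -n style lines saved from the Metasploitable host and confirms that every packet the target saw involved only the pivot host and never Metasploit Pro. The three addresses follow the slide; the capture text is constructed for the example, not a real trace.

```python
import re
from collections import Counter

# Constructed sample of "tcpdump -npi eth0" output as it could look on
# Metasploitable (192.168.152.129) while an exploit is run through the
# proxy pivot on WinXP (192.168.152.133). Not a real capture.
SAMPLE_CAPTURE = """\
12:01:03.118452 IP 192.168.152.133.1045 > 192.168.152.129.21: Flags [S], seq 1, win 64240, length 0
12:01:03.118690 IP 192.168.152.129.21 > 192.168.152.133.1045: Flags [S.], seq 2, ack 2, win 5840, length 0
12:01:03.119021 IP 192.168.152.133.1045 > 192.168.152.129.21: Flags [.], ack 1, win 64240, length 0
12:01:03.120500 IP 192.168.152.129.21 > 192.168.152.133.1045: Flags [P.], seq 1:21, ack 1, win 5840, length 20
12:01:04.000001 IP 192.168.152.133.1046 > 192.168.152.129.6200: Flags [S], seq 9, win 64240, length 0
"""

TARGET = "192.168.152.129"   # Metasploitable
PIVOT = "192.168.152.133"    # WinXP session used as the proxy pivot
ATTACKER = "192.168.152.10"  # Metasploit Pro host

# "src.port > dst.port:" as printed by tcpdump -n for IPv4 TCP and UDP.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_capture(text):
    """Return (src_ip, src_port, dst_ip, dst_port) for each parseable line."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return flows


def peers_of(text, target):
    """Count packets per remote address that the target exchanged traffic with."""
    peers = Counter()
    for src, _, dst, _ in parse_capture(text):
        if src == target:
            peers[dst] += 1
        elif dst == target:
            peers[src] += 1
    return peers


def pivot_is_effective(text, target, pivot, attacker):
    """True when the target only ever talked to the pivot host and never
    to the attacker directly."""
    peers = peers_of(text, target)
    return attacker not in peers and set(peers) == {pivot}


if __name__ == "__main__":
    print(peers_of(SAMPLE_CAPTURE, TARGET))
    print("pivot hides Metasploit Pro:",
          pivot_is_effective(SAMPLE_CAPTURE, TARGET, PIVOT, ATTACKER))
```

In the lab, redirect the tcpdump output to a file on Metasploitable and pass its contents to peers_of; any count against 192.168.152.10 means a task bypassed the pivot, which is what happens with a reverse payload that is not routed through it.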
VPN Pivot Workflow
1. The target must have two interfaces connected to two different networks.
2. Exploit the public-facing system and deliver Meterpreter.
3. Create the VPN pivot.
4. The VPN pivot creates an interface on the attack machine that is connected to the far side of the
compromised host.
(Diagram: Attacker on the Internet -> DMZ host with a public address and a private maintenance interface -> Enterprise Network.)

VPN Pivot
To build the VPN tunnel, select the remote network interface that is available on the session (the remote network IP is shown)
If successful, a Tunneling task will be run
The Metasploit host OS will have its routing table updated
Be careful of the “Restrict to network range” setting at the project: if the range excludes the far-side network, tasks will not be allowed to target hosts behind the pivot

Metasploit Pro Workflow – Post-Exploitation Modules

Post-Exploitation Modules
The “Post-Exploitation Modules” tab lists all the available modules that can be run on this session
Some need to be searched for manually

Module Name – What it does
persistence_agent – script to keep access across reboots
packetrecorder – packet capturing
keylogrecorder – record keystrokes to a file
webcam – script to grab images or video from the webcam

Post-Exploitation Modules Example
Find “Windows Gather Product Key” and click it
Click “Run Module”
If it succeeds, the key will be shown on the “Stored Data & Files” tab

Clean Up: Terminate Sessions
On an individual session, click “Terminate session”
Or go to the “Sessions” page and click “Cleanup”.
Select the active sessions and then click “Cleanup Sessions”.
Afterwards there are no more active sessions; all sessions are closed

LAB - Exploit
Create a proxy pivot and exploit the Metasploitable host again. On Metasploitable,
use tcpdump to monitor the connection. The commands are
• “sudo -i” + password “msfadmin” to switch to root
• “tcpdump -npi eth0” to capture packets on interface eth0
Run “Collect System Data” on both targets.
Run the module “Windows Gather Credential Collector”

Questions
Which system user ID is used to build the session?
How can you take a screenshot?
How many credentials (login ID + hash) can be collected?
Can you build the VPN pivot? Why?

Web Application Testing
Students will know how to use Metasploit to exploit a web application.
- The workflow to exploit a web application
- The common web application attacks
- How to prove a web application is exploitable

Web Vulnerability Basics
Layer | Example | Solution highlight
User Interface | Web page, form, e.g. a query page | Customer needs to define the solution, such as a policy at the WAF or recoding
Code | Self-developed code, e.g. Java | (as above)
Middleware | Web service, e.g. Apache | Vulnerability in common software usually has a well-known solution, e.g. a CVE and a patch
OS | OS platform, e.g. Linux | (as above)

If there is a vulnerability in the middleware, it may appear in different parameters on multiple web pages.
Some web vulnerabilities can be exploited, such as SQLi and XSS.
Some web vulnerabilities can be used directly without any exploitation, such as sensitive information disclosure.
Some web vulnerabilities are configuration issues, such as weak encryption.

Web Application Testing in Metasploit Pro
Integrated into the product under the Web Apps tab:
• Web Application Scanning: spidering web pages, looking for forms and active content, detecting sensitive data leakage and configuration issues
• Web Application Auditing: searching for exploitable vulnerabilities in those forms
• Web Application Exploitation: exploiting the vulnerabilities found

Metasploit Pro Workflow – Use Web Scanning

WebScan
You can start it from:
• Under a project, “Web Apps > WebScan”
• “WebScan” on the project page
• On the project page, click “Scan”; the “Web Scan Settings” and “Web Crawler Settings” are shown under “Show Advanced Options”

WebScan
Seed URLs (URLs entered here are not restricted by the project setting)
Max requests per page (the more you set, the more you find)
Max amount of time per page (the longer you set, the more you find)
Number of concurrent requests per website
Select the discovered web services from a previous scan or import

Advanced Options: URL access and Transport Layer Security
Sensitive data patterns and controlled URLs can be defined
If the weak encryption is due to a known vulnerability (e.g. FREAK), it can be classified as OWASP 2013 A9, Using Components with Known Vulnerabilities

WebScan: Web Crawler Settings
Paths can be excluded (e.g. *logout*, so the crawler does not log itself out)
Credentials for HTTP basic/digest authentication can be set (e.g. AD authentication enabled on IIS)
Cookies are supported (only a static cookie): log in with a browser and then copy the cookie here; if the session expires during the crawl, the crawler continues unauthenticated
HTTP user agent can be customized

Web Apps Found
The Web Scan findings are shown on the “Web Apps” tab
IP address, web site URL, service name, number of pages and forms are shown
Forms are what Metasploit will audit
Click “Show All” at the right to access the scanned vulnerabilities (more later)

Metasploit Pro Workflow – Use Web Auditing

Running a Web Audit
Click “Audit Web Apps”
The audit tests the web apps by sending common attack input (e.g. special characters)
Max concurrent HTTP requests: the higher it is, the faster the audit
Time limit per form: the higher it is, the more vulnerabilities will be found
Select the target web apps: Metasploit will send different inputs to test for vulnerabilities
Check for insecure direct object reference: A4 of OWASP Top 10 2013

Web Audit Result
The web audit result is updated on the “Web Apps” page
The number of vulnerabilities is shown (e.g. 8 in the example below)
Click the “High” under the “Risk” column or “Show All” under the “Vulns” column to view the vulnerabilities.

Metasploit Pro Workflow – Use Web Exploiting

Exploiting Web Applications
A web app with a vulnerability is shown with the kind of vulnerability (e.g. SQLi, XSS), path, confidence level, method involved, parameter and proof
Click the “Path” URL for vulnerability detail (e.g. the XSS)

Web Applications Vulnerability Detail
You can customize the field and replay the attack
For example, <script>alert(“Xssed”)</script> to test XSS; if the method is GET, you can see the script in the URL

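What the replayed GET request does on the server side, as an added Python example that is not part of the deck or of Mutillidae: the slide's test string is URL-encoded into the query string, a vulnerable handler reflects it into the page unescaped, and the hardened handler applies HTML output encoding so the same replay no longer yields a live script tag. The page and parameter names in the URL are assumptions for the example.

```python
from html import escape
from urllib.parse import parse_qs, quote, urlsplit

# The test string from the slide.
PAYLOAD = '<script>alert("Xssed")</script>'

# Constructed target URL for the Mutillidae lab host; the page and parameter
# names are assumptions, not taken from the deck.
BASE_URL = "http://192.168.152.129/mutillidae/index.php?page=search"


def build_url(payload, base=BASE_URL):
    """GET request as it would be replayed: the payload is URL-encoded into the query string."""
    return f"{base}&q={quote(payload)}"


def render_vulnerable(q):
    """Reflects the parameter into the page unescaped: reflected XSS."""
    return f"<h1>Results for {q}</h1>"


def render_hardened(q):
    """Same page with HTML-context output encoding applied before reflection."""
    return f"<h1>Results for {escape(q, quote=True)}</h1>"


def reflect(url, handler):
    """Parse the replayed URL, pull 'q' out of the query string and run the handler on it."""
    q = parse_qs(urlsplit(url).query).get("q", [""])[0]
    return handler(q)


def script_executes(html):
    """Crude indicator: an unencoded <script> tag reached the response body."""
    return "<script>" in html.lower()


if __name__ == "__main__":
    url = build_url(PAYLOAD)
    print(url)
    print("vulnerable:", reflect(url, render_vulnerable))
    print("hardened:  ", reflect(url, render_hardened))
```

The "proof" column on the Web Apps page is the equivalent of script_executes: the audit looks for its marker coming back unencoded in the response.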
LAB – Web Apps
Run a “Web Scan” to find the web application running on the Metasploitable host.
Select the URL http://IP/mutillidae/ and run the “Web Audit” for 10 minutes
(if you use the default and scan all web applications, it may take a few hours)
Try to replay an XSS attack with customized text
• E.g. <script>alert(“Xssed”)</script>

Questions
What three steps are used in Metasploit to exploit a web application?
Can you name some OWASP Top 10 2013 vulnerabilities?
What web vulnerability(s) can be detected during a web scan?
In an actual XSS attack, what is usually injected instead of the alert(“Xssed”) used in the example?

Reports
Students will be able to take data or information out of Metasploit.
- How to generate a report
- How to customize a report
- How to export data

Metasploit Pro Workflow – Generate Live Reports

Reporting: Translating Results into Actions
Reporting can export the information you need for further action
Click the “Reports” tab to generate and view reports
Click “Standard Report” to generate a report
Different report types have different file format options and different settings, shown below
Give the report a name

Some Report Setting Examples
A customized logo can be uploaded
Different report types have different sections available
“Mask discovered credentials” is good practice whenever the report leaves the testing team
Result ordering is for the Web App Assessment report
The report can be sent to recipients once it is generated; this needs an SMTP server set up in “Administration > Global Settings”

Report Sample
Creating the report will take some time
Once created, the number of newly available reports is shown
You can click the report to view it

Report Sample
The report view allows you to generate other file formats
You can select the report and send it to other recipients
You can download the report and delete it

Customized Reports
• Click “Create Custom Report” to upload your report collateral
• Reports can be customized with Jasper iReport; the template can be downloaded at the bottom of the “Reports” page
• A logo file and a report template can be uploaded

Export Data
Project data can be exported as XML or a Zip Workspace to share findings with another auditor
A Password Dump can be reused in a bruteforce run
A Replay script is used in console mode (command line)

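Before feeding a Password Dump back into a bruteforce run it is worth triaging it. The following is an added Python example, not part of the deck or of Metasploit Pro: it parses lines in the classic pwdump layout (user:rid:LM:NTLM:::), which is assumed here to be the layout of the exported file, and separates reusable NTLM hashes from empty ones, flags accounts that share a password, and lists accounts that still have an LM hash stored. The sample dump is constructed from textbook hash values, not taken from a real host.

```python
import re
from collections import defaultdict

# Textbook hash values used to build the constructed sample below:
# LM/NT of an empty password, and LM/NT of the string "password".
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"
LM_PASSWORD = "e52cac67419a9a224a3b108f3fa6cb6d"
NT_PASSWORD = "8846f7eaee8fb117ad06bdd830b7586c"

# Constructed dump in pwdump layout (user:rid:LM:NTLM:::), assumed to be the
# layout of the exported file. Not from a real host.
SAMPLE_DUMP = f"""\
Administrator:500:{LM_EMPTY}:{NT_PASSWORD}:::
Guest:501:{LM_EMPTY}:{NT_EMPTY}:::
svc_backup:1001:{LM_PASSWORD}:{NT_PASSWORD}:::
# comment lines and junk are skipped
not a pwdump line
"""

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_pwdump(text):
    """Return one dict per well-formed user:rid:lm:nt line; everything else is skipped."""
    creds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if (len(parts) < 4 or not parts[1].isdigit()
                or not (HEX32.match(parts[2]) and HEX32.match(parts[3]))):
            continue
        creds.append({"user": parts[0], "rid": int(parts[1]),
                      "lm": parts[2].lower(), "nt": parts[3].lower()})
    return creds


def reusable_ntlm(creds):
    """NTLM hashes worth feeding into a bruteforce/pass-the-hash run (empty-password hashes excluded)."""
    return {c["user"]: c["nt"] for c in creds if c["nt"] != NT_EMPTY}


def shared_passwords(creds):
    """Accounts sharing an NTLM hash share a password: the first reuse to check."""
    by_hash = defaultdict(list)
    for c in creds:
        if c["nt"] != NT_EMPTY:
            by_hash[c["nt"]].append(c["user"])
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def lm_still_stored(creds):
    """Accounts whose LM hash is not the empty marker: LM storage is a finding on its own."""
    return [c["user"] for c in creds if c["lm"] != LM_EMPTY]


if __name__ == "__main__":
    creds = parse_pwdump(SAMPLE_DUMP)
    print("reusable:", reusable_ntlm(creds))
    print("shared:", shared_passwords(creds))
    print("LM stored:", lm_still_stored(creds))
```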
LAB - Reports
In order to save time, please select only one host for the operations below
Generate a standard report
Upload a logo and generate a custom report
Try to run “Export Data”

Questions
Can you generate a report in multiple formats?
Which standard report type should be used to view the credentials found in detail?
What export data format should be selected for exporting NTLM password hashes?

Social Engineering
Students will understand that Social Engineering is about finding the vulnerability in the human (not the system) and getting them to fall into the trap
- “Campaigns” are used to launch Social Engineering in Metasploit Pro
- How to use Web, Email and USB in Campaigns
- Common ways to attract users

Metasploit Pro Workflow – Social Engineering

Email Tricks and Delivering Executables
Why email?
• It is one of the fastest and easiest ways to create a data breach (if done right)
• Many people do not take the time to ensure that the sender is legitimate
• A response can be instant
A few tricks…
• Targets still trust .PDF
• You can create a fake email chain
• Play to the season
Delivery…
• Link sending the user to a malicious website
• Embedded payload downloadable from a link within the email itself

Campaigns
For Social Engineering in Metasploit Pro, click “Campaigns” on the menu bar
• Client-side exploits available via Modules
• Web, Email, and USB modes
• Customize web and email
• Easily combine all three
The objective of using campaigns is to test the users' security awareness and to exploit client systems

Typical Phishing Campaigns
Give it a name and select Phishing Campaign
Workflow:
• Send the phishing email with the phishing link (landing page)
• User opens the email
• User clicks the link to the landing page (usually a form asking for sensitive data, or a page that serves an exploit)
• User inputs data into the form
• User is redirected to another page (e.g. showing a warning message)

Phishing E-mail General Settings
Fill in the General (envelope) information: Subject, From address and From name.
Tip: copy from a real email

Target List
The phishing email will be sent to the email addresses on the target list
The three fields (Email Address, First Name and Last Name) can be used as variables in the content.

Phishing E-mail Content
Content supports rich text and plain text; you can copy from a real email
Insert the landing page URL into the correct item, such as a button
To customize the message, add the variables {{first_name}}, {{last_name}} and {{email_address}}
Preview and save the e-mail
The plain text version may need editing separately

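How the target list and the three template variables of the two slides above combine into per-recipient messages, as an added Python example that is not part of the deck or of Metasploit Pro's own mailer: it renders the body for every target and refuses to produce a message in which a placeholder survived unrendered, the mistake a preview is meant to catch. The CSV column headers, the target rows and the landing page URL are constructed assumptions for the example.

```python
import csv
import io
import re

# Constructed target list using the three fields of the campaign; the column
# headers are an assumption about the file layout.
TARGET_LIST_CSV = """\
email_address,first_name,last_name
alice@example.com,Alice,Ng
bob@example.com,Bob,Lee
"""

# Constructed e-mail body using the template variables from the slide. The
# landing page URL stands in for the campaign's web server.
TEMPLATE = (
    "Dear {{first_name}} {{last_name}},\n"
    "Your account {{email_address}} needs review. Sign in here:\n"
    "http://intranet-login.example/campaign/login\n"
)

VARIABLES = ("first_name", "last_name", "email_address")
PLACEHOLDER_RE = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def load_targets(csv_text):
    """Rows of the target list as dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def render(template, target):
    """Substitute the three supported variables; anything else is left in place."""
    def sub(m):
        name = m.group(1)
        if name in VARIABLES and name in target:
            return target[name]
        return m.group(0)
    return PLACEHOLDER_RE.sub(sub, template)


def unresolved(text):
    """Placeholders that survived rendering: these would reach the recipient verbatim."""
    return PLACEHOLDER_RE.findall(text)


def render_campaign(template, csv_text):
    """(recipient, body) per target; refuse to build the batch if any placeholder is unresolved."""
    messages = []
    for target in load_targets(csv_text):
        body = render(template, target)
        leftovers = unresolved(body)
        if leftovers:
            raise ValueError(f"{target['email_address']}: unresolved {leftovers}")
        messages.append((target["email_address"], body))
    return messages


if __name__ == "__main__":
    for recipient, body in render_campaign(TEMPLATE, TARGET_LIST_CSV):
        print("To:", recipient)
        print(body)
```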
Landing Page Settings
Click “Landing Page” to configure the web page content.
Set the path on the web server and the redirect URL.
Good practice is to set up a false login page and redirect to the real login page.
If “Campaign Redirect Page” is selected, you need to set up the redirect page on the same web server.

Landing Page Content
Click “Landing Page” to configure the web page content.
Or you can clone the content from another website.
Don't forget the Preview

Configure E-mail Server and Web Server
Set up the e-mail server (SMTP gateway) to send out email. The connection is tested once “Save” is clicked.
The web server must be the same IP/host as Metasploit, but you can set any hostname. HTTP or HTTPS on any port is supported.

Launch The Campaign
If everything is correct, the campaign is “Launchable” and it can be started.

Custom Campaign
A custom campaign has three components: Email, Web and Portable File (USB).
You can run a component independently, e.g. only Web.
There are more attack types than “phishing” for the web component.

Custom Web Campaign – Exploit & Autopwn
Exploit lets you load one client-side attack module
“Browser Autopwn” fingerprints HTTP clients and exploits them automatically.
The 'DefangedDetection' action does only the fingerprinting part. The 'list' action simply prints the names of all exploit modules that would be used by the WebServer action given the current MATCH and EXCLUDE options.

Custom Web Campaign – Serve File
“.exe agent” places an agent exe file at the URL; this file will usually be detected as backdoor code.
“File format exploit” loads the selected File Format Exploit module, whose output will usually be detected as backdoor code too.
“User supplied file” lets you upload a file to be served at the URL.

Custom Web Campaign – Java Signed Applet
The module “Java Signed Applet Social Engineering Code Execution” runs in the background, exploiting client systems as they connect.
This exploit dynamically creates a .jar file via the Msf::Exploit::Java mixin, then signs it. The resulting signed applet is presented to the victim via a web page with an applet tag. The victim's JVM will pop a dialog asking if they trust the signed applet.

Start The Custom Web Campaign
Once a campaign is ready, you can start it.
For the Java Signed Applet attack type, a Java security warning is shown to the user.

Real Time Campaign Status
Once a campaign is started, the “Findings” dashboard shows the status, such as the module used, sessions built, emails sent, etc.

Campaign Task Log
The task log shows the URL, the loaded module for the exploit attack type, connected IPs, emails sent, etc.

Campaign Report
There is a dedicated report type called “Social Engineering Campaign Details”.
Select the campaign whose data is used in the report

Reusable Resources
Email templates, web templates and malicious files can be uploaded and reused in any campaign.
Email target lists can also be built here.

Spear Phishing
A targeted approach to phishing
Uses information gathered from the passive recon prep work done when beginning the audit
Often requires specific knowledge
Tactics used:
• Join similar social networks
• Phone phishing
• Bribes and bargaining
Using MSP to Spear Phish…
• Look at the project view from a big-picture perspective to understand opportunities
• Attack related targets
• Numerous potential payloads

LAB – Social Engineering
Set up a Custom Web Campaign
Set the attack type to “Browser Autopwn”
Use a browser to connect to the web campaign URL and check the log
Generate the report “Social Engineering Campaign Details”.

Questions
Will the out-of-the-box Phishing campaign run exploit code on the target?
Which attack type will try multiple client-side exploit modules?

Advanced Techniques
Students will learn techniques for automating work to improve efficiency
- Payload Preference
- Post-Exploitation Macros
- Persistent Agent

Global Settings
Click “Administration > Global Settings”
HTTP payloads are useful for client-side attacks or social engineering campaigns: they help build the connection if the victim is behind a proxy
HTTPS will encrypt the connection but may not work via a proxy
“Updates” checks whether a new update is available and shows a notification icon; you can set a proxy for the update check (under Software Update)

Post-Exploitation Macros
Automatically launch post-exploitation modules once a host is exploited
“Administration > Global Settings > Post-Exploitation Macros”, click “New Macro”
Input a name and click “Save”; the module table will then be shown

Post-Exploitation Macros
A search filter can be applied
Move the mouse over the module; a green plus icon appears at the right, click it to add this module
The module configuration will be shown; click “Add Action” to add it
Click “Update Macro” to save the newly added module

Persistence Listener
A persistence listener is a service running on Metasploit to accept the payload connection; it must be associated with a project.
Select the payload connection, e.g. HTTPS on IPv4
If the post-exploitation module “Persistent Agent” is run, a listener is launched automatically

Persistence Agent
“Persistent Agent” is a post-exploitation module that makes the target connect back to Metasploit after a reboot
You can set the agent age or use “Persistent Agent Cleaner” later to remove it
The task log shows where the copy of the agent file was placed

Payload Generator
A payload can be code (e.g. an exe file) run directly on the target; it will connect back to a listener on Metasploit
Classic has more configuration options; Dynamic generates a payload intended to evade AV detection
“Payload Generator” can generate payloads for different OSes; the connection type must match the listener

Nexpose Vulnerability Validation
A Nexpose console must be added in “Administration > Global Settings > Nexpose Console”
The “Vulnerability Validation” wizard is on the home page
A new project will be created and you need to give it a name
You can import a site from Nexpose; all hosts in the site will have auto-exploitation applied. Or you can select a scan template for Nexpose to scan the target(s)

Nexpose Vulnerability Validation
The exploit step is pretty much the same as “Exploit a host” discussed above, except there is an option “Clean up session when done”
A report can be generated automatically after the validation, but only two report types can be chosen

Exception Feedback
Select the green-tick vulnerabilities, then click “Nexpose Exception”.
Select the Nexpose Console to send the exception list to. You can configure the exception, such as the expiration date.
For each vulnerability, select the reason. Then click “Create Exceptions”.

LAB – Advanced Techniques
Add a Macro with the post-exploitation module “Windows Gather Credential Collector”
Add a Persistence Listener with the newly added Macro
Install the persistence agent on the WinXP host
Restart and log in to WinXP, then check the session
Run a Vulnerability Validation Wizard by importing the site from Nexpose

Questions
If you want to run the same post-exploitation modules every time a device is exploited, what should you do?
In the lab, after WinXP rebooted, what information shows that the agent is working?

Summary

Metasploit Pro Workflow – Launch Metasploit

Resources
Metasploit home site: product news, module search, download
• http://www.metasploit.com
Metasploit community: documents, information sharing, asking questions, videos
• https://community.rapid7.com/community/metasploit
Technical Support email:
• support@rapid7.com

Metasploit Professional Training
Congratulations! Training completed!